Has Stuxnet changed the face of computer security forever?



The cleverly-written malware Stuxnet has scarcely been out of the headlines during the last few weeks, after being linked to technical disruptions at the Bushehr nuclear power plant in Iran. The malware, which has infected computers worldwide, appears to be the first serious effort to write a virus that attacks supervisory control and data acquisition (SCADA) systems - the types of system that run power stations, sewage treatment facilities and other industrial plants.

Technical analysis has shown the malware to be incredibly sophisticated. It was developed to attack a particular type of programmable logic controller, and according to analysis from security company Symantec, would have been written using up to 10 core software developers over six months. It would have been tested on a replicated version of the process control hardware. The attack was so sophisticated that the developers must have stolen digital certificates used to sign driver files in the target systems, say experts.

We have seen sophisticated attacks on specific entities before. Some 30 or more technology companies were attacked using a zero day vulnerability in Internet Explorer 6 during 2009 in an operation that became known as Aurora. But that attack still focused on digital intrusion and appeared to have been orchestrated in an effort to compromise intellectual property.

The difference with Stuxnet is that it was specifically designed to bridge the gap between the digital world and the physical one. Once compromised, process logic controllers can be made to behave in ways that can seriously disrupt industrial processes, by spinning engines out of control, opening and closing valves and sending power surges.

No wonder that the European Network and Information Security Agency (ENISA), Europe's cyber security agency, calls Stuxnet a paradigm shift in the security threats landscape.

"Stuxnet is a new class and dimension of malware," said the executive director of ENISA, Dr Udo Helmbrecht. "The fact that perpetrators activated such an attack tool can be considered as the 'first strike', i.e. one of the first organised, well-prepared attacks, against major industrial resources."

Helmbrecht considers Stuxnet to be a game changer in terms of critical information infrastructure protection. Key to successful protection against attacks like Stuxnet is a united approach to the threat, ENISA argues. A co-ordinated reaction involves key players from both the private and public sector, it warns, arguing that no single entity can prevent an attack like Stuxnet on its own.

Stuxnet raised the stakes for cybersecurity, pushing us into an age of highly sophisticated cyber-attacks that cause real-world physical damage. Hopefully, chief security officers (you do have one, don't you?) will up their game accordingly.

Anthony Plewes

After a Masters in Computer Science, I decided that I preferred writing about IT rather than programming. My 20-year writing career has taken me to Hong Kong and London where I've edited and written for IT, business and electronics publications. In 2002 I co-founded Futurity Media with Stewart Baines where I continue to write about a range of topics such as unified communications, cloud computing and enterprise applications.